An IDS for Detecting Misbehavior Nodes in Optimized Link State Routing Protocol

International Journal of Advanced Computer Science, Vol. 1, No. 2, Pp. 87-91, Aug. 2011. International Journal Publishers Group (IJPG) ©
Manuscript Received: 20 Aug. 2011
Revised: 4 Sep. 2011
Accepted: 5 Sep. 2011
Published: 15 Sep. 2011

Keywords: IDS, OLSR, MANETs
Abstract: Several approaches have been proposed for Intrusion Detection Systems (IDS) in Mobile Ad hoc Networks (MANETs). Because MANETs lack infrastructure and a well-defined perimeter, they are susceptible to a variety of attacker types. To develop a strong security scheme it is necessary to understand how malicious nodes can attack a MANET. Focusing on the Optimized Link State Routing (OLSR) protocol, we propose an IDS mechanism that accurately detects misbehaving node(s) in OLSR based on End-to-End (E2E) communication between the source and the destination. Simulation results show that the proposed mechanism is able to detect any number of attackers while keeping a reasonably low overhead in terms of network traffic.
1. Introduction
Wireless Mobile Ad-hoc Networks (MANETs) are expected to play a very important role in many types of applications, such as military exercises, disaster relief, community wireless networks and mine site operations. A MANET consists of a collection of mobile nodes interconnected by wireless links without any fixed infrastructure. Because MANETs lack infrastructure and a well-defined perimeter, they are susceptible to a variety of attacker types. Providing effective security for MANETs has become one of the main challenges for researchers.

At present, the Internet Engineering Task Force (IETF) Mobile Ad hoc Networks Working Group has published or drafted five routing protocols: Ad hoc On-Demand Distance Vector (AODV) [1], Dynamic Source Routing (DSR) [2], Optimized Link State Routing (OLSR) [3][4], Topology Dissemination Based on Reverse-Path Forwarding (TBRPF) [5] and Dynamic MANET On-demand (DYMO) [6].
Authors: Ahmed Mohamed Abdalla (PAAET, Kuwait), Imane Aly Saroit (Cairo University), Amira Kotb (Cairo University), Ali Hassan Afsari (Kuwait University)

The Optimized Link State Routing (OLSR) protocol offers promising performance in terms of bandwidth, required overhead, and delivered traffic.

In this paper, we present an intrusion detection system that accurately detects misbehaving node(s) in the OLSR protocol based on End-to-End (E2E) communication between the source and the destination. The proposed mechanism is able to detect different attack types that can occur along the source-destination path by using special messages. Although the analysis focuses on the OLSR protocol, the proposed solution is applicable to other routing protocols for MANETs.
The rest of this paper is organized as follows. Section 2 presents the background on the OLSR protocol. Section 3 presents the IDS overview and the related work needed to understand the material that follows. Section 4 presents the proposed contribution. Simulation results and discussion are presented in Section 5. Finally, conclusions drawn from the paper and future work are given in Section 6.
2. The Optimized Link State Routing (OLSR) Protocol

OLSR is a table-driven, proactive routing protocol designed for mobile ad-hoc networks. It exchanges routing information periodically and therefore has routes immediately available when they are needed. OLSR achieves its optimization by determining, for each node in the network, a minimal subset of its neighbors, called Multi Point Relays (MPR), that together reach all of the node's 2-hop neighbors. Two types of routing messages are used: the HELLO message and the Topology Control (TC) message [3-4].
1) A HELLO message is periodically broadcast by each node and contains the sender's identity and three lists:
- the neighbors from which control traffic has been heard;
- the neighbors with which bi-directionality has already been confirmed;
- the MPR set of the originating node.
HELLO messages are exchanged locally between neighboring nodes and are not forwarded further. They are used for neighbor sensing and for the selection of MPR nodes.
2) TC messages are emitted periodically by MPR nodes. A TC message contains the sender's MPR selector set. In OLSR only MPR nodes forward TC messages. From the TC messages of all MPR nodes, each node learns the partial network topology and can build a route to every node in the network; TC messages are thus the input to route calculation.
OLSR operation can be summarized as follows:
1- Neighbor sensing: each node periodically broadcasts HELLO messages to its 1-hop neighbors.
2- MPR selection: there are two kinds of set.
• MPR set: the neighbors a node selects from among its 1-hop neighbors. When the node sends a routing message, only the nodes in its MPR set forward it.
• MPR selector set: each node also records the set of neighbors that selected it as an MPR.
3- Topology diffusion: nodes selected as MPRs must send TC messages so that routing tables can be constructed. TC messages are flooded through the network, and only MPRs are allowed to forward them.
Each node in the OLSR protocol therefore has two tasks:
- correctly generate the routing protocol control traffic;
- correctly relay the routing protocol control traffic on behalf of other nodes.
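As an added illustration (not code from the paper or from any OLSR implementation), the following Python computes MPR sets with the greedy heuristic of RFC 3626 section 8.3.1, simplified to a single interface and equal willingness for every neighbor, on a constructed seven-node topology, and then derives each node's MPR selector set and hence which nodes originate TC messages. The topology, the function names and the tie-break by node name are assumptions made here.

```python
"""Added example, not code from the paper or from any OLSR implementation:
the MPR selection heuristic of RFC 3626 section 8.3.1, simplified to a
single interface and equal willingness for every neighbour. The topology
below is constructed for illustration."""

# Constructed symmetric topology: node -> list of 1-hop (bidirectional) neighbours.
TOPOLOGY = {
    "A": ["B", "C", "D"],
    "B": ["A", "E"],
    "C": ["A", "E", "F"],
    "D": ["A", "F", "G"],
    "E": ["B", "C"],
    "F": ["C", "D"],
    "G": ["D"],
}


def neighbourhoods(graph, node):
    """Return (N1, N2): the strict 1-hop and strict 2-hop neighbour sets of node.
    In OLSR, N1 comes from the HELLO messages heard directly and N2 from the
    neighbour lists those HELLO messages carry."""
    n1 = set(graph[node])
    n2 = set()
    for y in n1:
        n2.update(graph[y])
    n2 -= n1
    n2.discard(node)
    return n1, n2


def select_mprs(graph, node):
    """Greedy MPR selection for one node (RFC 3626, 8.3.1, steps 3 and 4):
    first take every neighbour that is the only path to some 2-hop neighbour,
    then repeatedly take the neighbour covering the most still-uncovered
    2-hop neighbours (ties broken by total reachability, then by name)."""
    n1, n2 = neighbourhoods(graph, node)
    covers = {y: set(graph[y]) & n2 for y in n1}   # 2-hop nodes reachable via y
    mprs = set()
    for z in n2:
        providers = [y for y in n1 if z in covers[y]]
        if len(providers) == 1:                     # z reachable only through this neighbour
            mprs.add(providers[0])
    uncovered = n2 - set().union(*(covers[y] for y in mprs))
    while uncovered:
        best = max(sorted(n1 - mprs),
                   key=lambda y: (len(covers[y] & uncovered), len(covers[y])))
        mprs.add(best)
        uncovered -= covers[best]
    return mprs


def mpr_selector_sets(graph):
    """Every node runs select_mprs; the inverse map is each node's MPR selector
    set, which that node advertises in its TC messages."""
    selectors = {node: set() for node in graph}
    for node in graph:
        for mpr in select_mprs(graph, node):
            selectors[mpr].add(node)
    return selectors


def tc_originators(graph):
    """Only nodes with a non-empty MPR selector set generate (and relay) TC messages."""
    return sorted(n for n, sel in mpr_selector_sets(graph).items() if sel)


def covers_all_two_hop(graph, node):
    """Sanity check: the MPR set must reach every strict 2-hop neighbour."""
    n1, n2 = neighbourhoods(graph, node)
    reached = set().union(*(set(graph[m]) for m in select_mprs(graph, node)))
    return n2 <= reached


if __name__ == "__main__":
    for node in TOPOLOGY:
        print(node, "MPR set:", sorted(select_mprs(TOPOLOGY, node)))
    print("TC originators:", tc_originators(TOPOLOGY))
```

Running it shows that only A, C and D end up with MPR selectors, so only three of the seven nodes flood TC messages; that is the bandwidth saving the text describes. The selection is driven entirely by the neighbor lists carried in HELLO messages, which is why the link-spoofing work cited in Section 3 concentrates on validating HELLO and TC contents.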
3. IDS Overview and Related Works

Intrusion detection is defined as the process of identifying "any set of actions that attempt to compromise the integrity, confidentiality, or availability of a resource". For Mobile Ad hoc Networks, the general function of an IDS is to detect misbehavior by observing the network traffic [7]. Most recent research has focused on preventive schemes to secure routing in MANETs [8-12]. The key distribution and line-of-defense mechanisms defined in [8], [9] assume that nodes are either trusted or not, and that trusted nodes are not compromised. The contributions in [10], [12] do consider the compromise of trusted nodes; they assume that a public key infrastructure (PKI) and a timestamp mechanism are in place. None of these approaches, however, can prevent attacks by a node that owns a legitimate key.
It is necessary to understand how malicious nodes can attack a MANET. A model for the Black Hole Search problem, together with the number of agents needed to locate the black hole without knowledge of the incoming link, is developed in [13]. Watchdog and pathrater are discussed in [14], but their overhead has been observed to increase significantly as the proportion of misbehaving nodes grows. Ex-watchdog [15] modifies that system to reduce the overhead.
[16] introduces an IDS that formulates distributed collaborative defense against coordinated attacks as a dynamic game. The same group extends this work in [17] with detection schemes suited to in-band wormhole attacks. The first scheme uses the Sequential Probability Ratio Test (SPRT) [18], which has been proven to be an optimal detection test when the probability distributions of both normal and abnormal behavior are known.
A feedback mechanism to secure OLSR against link spoofing attacks is provided in [19], [20]: the solution assesses the integrity of control messages by correlating local routing data with additional feedback messages, called CPM, sent by the receivers of the control messages. A formal approach to harden MPR selection and thwart attacks against OLSR is suggested in [21]; it validates the routing table and the topology information using trust-based reasoning, so that each node can verify the validity of received HELLO and TC messages simply by correlating the information they carry. A collusion attack model against the OLSR protocol, together with a technique to detect the attack, is presented in [22].
4. Proposed Mechanism for Detecting Misbehavior Nodes

The misbehavior node detection process that we propose validates the communication path and then locates the misbehaving node(s) in paths found to be invalid. A successfully detected misbehaving node is added to a black-list and excluded from the routing table.

OLSR security vulnerabilities can be summarized as in [19]:
• Identity spoofing
• Link spoofing
• Traffic relay/generation refusal
• Replay attacks
• Wormhole

In this study we focus only on traffic relay/generation refusal, where the malicious node acts as a black hole and drops packets. We introduce two types of attacker. The type-1 attacker drops all received packets. The type-2 attacker is smarter: it drops only data packets and exchanges control packets normally.

We extend the security of OLSR in two parts. The first part validates the communication path by sending periodic messages. The second part is concerned with finding the malicious node in an invalid path.

The process starts by sending Path Validation Messages (PVM) periodically to the destination at a specified interval, as shown in Fig. 1 and Algorithm 1.

Fig. 1 PVM process
The destination node is required to acknowledge back to the source with a reply-PVM to verify the validity of the path along which the data packets are transmitted. If the reply fails to reach the source before the next PVM is sent, as shown in Fig. 2, the source node increments its count of failed PVMs. N failed PVMs (the counter threshold is 3 in Algorithm 1) mean there is a problem in the path, and the source node triggers the attacker search process.

Fig. 2 Attacker drops data packet

The search starts by sending an Attacker Finder Message (AFM) to each node in the path to the destination. Each intermediate node that receives an AFM is required to:
• Reply to the source node with a message (AFMb) that contains the hop count and the next-node-to-destination (NNTD).
• Send the AFM on to the destination through the NNTD.
The source node waits a certain time for acknowledgments from the intermediate nodes, updating its potential-attacker information with the NNTD carried in each AFMb received within the waiting time. Once the wait expires, the last NNTD stored at the source is considered the attacker. This process is illustrated in Fig. 3.
Fig. 3 AFM process with type-1 attacker
If all the nodes along the path replied to the source with an AFMb, the source starts the second phase of the attacker search. This time the source sends a PVM to each node in the path in turn and waits for a period of time. If the intermediate node replies within the waiting interval, the source sends a PVM to the next intermediate node in the path, and so on until the destination. If a node fails to reply within the waiting time, it is considered the attacker and added to the black-list. Such an attacker is of type-2: it was dropping the data packets (PVM) but not the control packets (AFM).

Fig. 4 AFM process with type-2 attacker (AFMb is forwarded to S through the intermediate nodes, but the arrows are drawn directly to S for illustration only)

An extra step is added to ensure that a type-1 attacker is correctly detected. A PVM is sent to the suspected attacker; if it replies to the source, the detection is considered false and the node is removed from the black-list.
ALGORITHM 1 PVM PROCESSING
Source sends PVM to Destination as a data packet
Increment PVM counter
If PVM counter > 3 then
    Start AFM algorithm
End if
If receiver node = destination then
    Send PVMb back to source
Else
    Forward PVMf
End if
If receiver node = source then
    Reset PVM counter
End if
ALGORITHM 2 AFM PROCESSING
Source sends AFMf to Destination and starts a wait timer
If receiver node = destination then
    Send AFMb back to source
Else
    Forward AFMf to destination
    Send AFMb back to source with the next-node-to-destination (NNTD) and whether a route to the destination exists in the routing table
End if
If Source received an AFMb from Destination then
    No attacker detected so far; start advanced detection
    Cancel AFM wait timer
    Send PVM to each node in the path to D
    If Source receives the PVM reply from the intermediate node then
        Node is trusted
    Else
        Malicious node of type-2 is detected
        Add to blacklist table and end AFM process
    End if
Else
    Last NNTD known by S is suspected as type-1 attacker
    Send PVM to NNTD
    If PVM reply received then
        NNTD is a trusted node
    Else
        NNTD is confirmed as an attacker
    End if
End if
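The following Python is an added example, not the authors' simulator code: it models Algorithms 1 and 2 from the source's side on one constructed five-node path and runs them against an honest path, a type-1 attacker, a type-2 attacker and a constructed "outage" node that drops its first seven packets and then recovers, which exercises the false-detection check. The node behaviours, the timing model (a reply is assumed to cross the same nodes in the same state as the request, so no timers are needed) and the assumption that S learns its own first hop from its routing table are all mine; as in the paper, the NNTD values reported by intermediate nodes are taken at face value.

```python
"""Added example, not code from the paper: Algorithms 1 (PVM) and 2 (AFM) of
Section 4 modelled from the source's side over one fixed path. The path, the
node behaviours and the 'outage' behaviour that exercises the false-detection
check are constructed here; only the message roles and the PVM threshold
come from the paper."""

PVM_FAIL_THRESHOLD = 3          # Algorithm 1: "If PVM counter > 3 then start AFM"


class Node:
    """kind: 'honest' relays and answers everything;
             'type-1' drops every packet, data and control (paper's type-1);
             'type-2' drops data (PVM) but relays/answers control (AFM) (paper's type-2);
             'outage' (constructed, not in the paper) drops its first `outage`
                      packets, then behaves honestly, like a node briefly out of range."""

    def __init__(self, name, kind="honest", outage=0):
        self.name, self.kind, self.remaining_outage = name, kind, outage

    def accepts(self, traffic):
        """Does this node relay (or, as receiver, answer) a packet of this traffic class?"""
        if self.kind == "outage":
            if self.remaining_outage > 0:
                self.remaining_outage -= 1
                return False
            return True
        if self.kind == "type-1":
            return False
        if self.kind == "type-2":
            return traffic == "control"
        return True


class Path:
    def __init__(self, nodes):
        self.nodes = nodes          # nodes[0] is the source S, nodes[-1] the destination D

    def round_trip(self, target, traffic):
        """One packet from S to `target` plus its reply. True iff every intermediate
        node before `target` relays it and `target` answers it. Assumption: the reply
        crosses the same nodes in the same state, so the forward leg decides."""
        for hop in self.nodes[1:self.nodes.index(target)]:
            if not hop.accepts(traffic):
                return False
        return target.accepts(traffic)


def detect(path):
    """Algorithm 1, then Algorithm 2 when the path fails.
    Returns (verdict, blacklist); blacklist names the confirmed attacker."""
    dst, inner = path.nodes[-1], path.nodes[1:-1]

    # Algorithm 1: periodic PVMs travel as data packets; a reply resets the counter.
    failed = 0
    while failed <= PVM_FAIL_THRESHOLD:
        if path.round_trip(dst, "data"):
            return "path valid", []
        failed += 1

    # Algorithm 2: AFMs travel as control packets; each intermediate node that gets
    # one reports its next-node-to-destination (NNTD) in an AFMb. S knows its own
    # first hop from its routing table (assumption) and trusts the reported NNTDs.
    last_nntd, dest_answered = (inner[0] if inner else dst), False
    for i, node in enumerate(path.nodes[1:], start=1):
        if not path.round_trip(node, "control"):
            continue                            # no AFMb came back from this node
        if node is dst:
            dest_answered = True
        else:
            last_nntd = path.nodes[i + 1]       # NNTD carried in this node's AFMb

    if dest_answered:
        # Control traffic got through: probe hop by hop with data packets;
        # the first node that leaves a PVM unanswered is the type-2 attacker.
        for node in inner:
            if not path.round_trip(node, "data"):
                return "type-2 attacker", [node.name]
        return "no attacker found", []          # branch not covered by the paper

    # Control traffic was cut: the last reported NNTD is the type-1 suspect.
    # Extra step from the paper: confirm with a PVM addressed to the suspect.
    if path.round_trip(last_nntd, "data"):
        return "false detection, %s cleared" % last_nntd.name, []
    return "type-1 attacker", [last_nntd.name]


def scenarios():
    """Constructed paths S-A-B-C-D that exercise each branch of detect()."""
    def path(*spec):
        return Path([Node(*s) for s in spec])
    return {
        "honest": detect(path(("S",), ("A",), ("B",), ("C",), ("D",))),
        "type-1 at B": detect(path(("S",), ("A",), ("B", "type-1"), ("C",), ("D",))),
        "type-1 at A": detect(path(("S",), ("A", "type-1"), ("B",), ("C",), ("D",))),
        "type-2 at B": detect(path(("S",), ("A",), ("B", "type-2"), ("C",), ("D",))),
        "outage at B": detect(path(("S",), ("A",), ("B", "outage", 7), ("C",), ("D",))),
    }


if __name__ == "__main__":
    for label, (verdict, blacklist) in scenarios().items():
        print("%-12s -> %s, blacklist=%s" % (label, verdict, blacklist))
```

The outage case shows what the confirmation PVM buys: a node that merely happened to be unreachable while the AFMs were sent is cleared instead of blacklisted. The hop-by-hop phase, by construction, blames the first node whose PVM goes unanswered; a node that answered PVMs addressed to itself while dropping the ones it relays would shift the blame to the next hop, and the model above deliberately contains no such node.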
5. Simulation Results and Discussions

The simulation results presented in this paper were obtained with the network simulator ns-2 version 2.31 [23] and a modified version 0.8.8 of the UM-OLSR implementation [24] of OLSR, which follows RFC 3626. The simulation scenarios consisted of 30 wireless nodes in an area of 1500 m x 300 m for a duration of 900 seconds. We selected a rectangular area to obtain good node scattering and collaboration.

PVM messages were sent at a rate of 5% of the total data messages. We started with no attacker and then added 1, 2 and 3 attackers in successive simulations.

The main objective was to detect the attackers successfully. Table 1 shows that source nodes 13, 19 and 28 were able to detect the attackers when present in their paths.
Fig. 5 Overhead vs. # of attackers
Figure 5 shows the overhead of the proposed algorithm relative to the total OLSR control packets. With no attacker in the network the overhead is nearly 12%, because no PVM packets are dropped and every PVM and its reply are counted. Once attackers are introduced, the overhead decreases linearly with the number of attackers. The figure also shows that smart attackers (type-2) produce slightly more overhead than type-1 attackers, which can be attributed to the extra work of the type-2 search, which sends both AFM and PVM packets.
Fig. 6 Dropped Packets vs. # of attackers
Figure 6 shows the percentage of dropped packets versus the number of attackers. With no attacker the percentage of dropped data packets is small, since no packets are dropped intentionally. As attackers are introduced, the number of dropped packets increases in proportion to the number of attackers. The figure also shows that the smart attacker (type-2) drops fewer packets than type-1, because it drops only data packets (including PVMs) and forwards AFM packets normally.
6. Conclusions and Future Work

We have presented an IDS mechanism based on End-to-End communication for securing the OLSR protocol. Our mechanism can detect several types of misbehaving node(s) on the path between a source and its destination, and builds a blacklist of the misbehaving nodes. The simulation results showed that the mechanism is able to detect any number of attackers while keeping a reasonably low overhead in terms of network traffic.

What we have achieved so far is locating misbehavior in the network and identifying the attacking node. We do not expect an improvement in performance at this stage, as the first task was only to detect the misbehaving node. We expect better results once action is taken to isolate misbehaving nodes using the blacklist.

Our future work will focus on eliminating the misbehaving node(s) from the path between source and destination by selecting another path that does not contain any misbehaving node.
TABLE 1 LIST OF ATTACKERS DETECTED IN THE PATH

detector   path                    attacker
28         28.12.23.26.26.23.0     12
28         28.1.14.0               14
28         28.21.5.0               21
19         19.16.9.12.0            12
19         19.7.14.23.0            14
19         19.21.13.0              21
13         13.21.4.0               21
References

[1] C. Perkins, E. Belding-Royer, & S. Das, "Ad hoc On-demand Distance Vector (AODV) Routing," IETF RFC 3561, July 2003.
[2] D. B. Johnson, D. A. Maltz, & Y-C. Hu, "The Dynamic Source Routing Protocol for Mobile Ad Hoc Networks (DSR)," IETF Internet-Draft draft-ietf-manet-dsr-09, April 2003.
[3] T. Clausen, P. Jacquet, A. Laouiti, P. Minet, P. Muhlethaler, A. Qayyum, & L. Viennot, "Optimized Link State Routing Protocol," IETF RFC 3626, 2003.
[4] http://www.olsr.org
[5] R. Ogier, M. Lewis, & F. Templin, "Topology Dissemination Based on Reverse-Path Forwarding (TBRPF)," IETF Internet-Draft draft-ietf-manet-tbrpf-07.txt, March 2003.
[6] I. Chakeres & C. Perkins, "Dynamic MANET On-demand (DYMO) Routing," IETF Internet-Draft, http://www.ietf.org/internet-drafts/draft-ietf-manet-dymo-08.txt, March 2007.
[7] A. Fourati & K. Al Agha, "An IDS First Line of Defense for Ad Hoc Networks," in Proc. IEEE WCNC, 2007.
[8] Y-C. Hu, A. Perrig, & D. B. Johnson, "Ariadne: A Secure On-Demand Routing Protocol for Ad Hoc Networks," in Proc. MobiCom, Atlanta, Georgia, USA, September 23-28, 2002.
[9] C. Adjih, T. Clausen, P. Jacquet, A. Laouiti, P. Muhlethaler, & D. Raffo, "Securing the OLSR Protocol," in Proc. Med-Hoc-Net, Mahdia, Tunisia, June 25, 2003.
[10] D. Dhillon, T. S. Randhawa, M. Wang, & L. Lamont, "Implementing a Fully Distributed Certificate Authority in an OLSR MANET," in Proc. IEEE WCNC 2004, Atlanta, Georgia, USA, March 21-25, 2004.
[11] D. Raffo, C. Adjih, T. Clausen, & P. Muhlethaler, "An Advanced Signature System for OLSR," in Proc. ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN 04), Washington, DC, USA, October 25, 2004.
[12] C. Adjih, D. Raffo, & P. Muhlethaler, "Attacks Against OLSR: Distributed Key Management for Security," 2nd OLSR Interop/Workshop, Palaiseau, France, July 28-29, 2005.
[13] P. Glaus, "Locating a Black Hole without the Knowledge of Incoming Link," Algorithmic Aspects of Wireless Sensor Networks, Lecture Notes in Computer Science, vol. 5304, Springer-Verlag, Berlin Heidelberg, p. 128, 2009. http://www.springerlink.com/index/h8424573040077v5.pdf
[14] S. Marti, T. J. Giuli, K. Lai, & M. Baker, "Mitigating Routing Misbehavior in Mobile Ad Hoc Networks," in Proc. 6th International Conference on Mobile Computing and Networking (MobiCom '00), pp. 255-265, Aug. 2000.
[15] N. Nasser & Y. Chen, "Enhanced Intrusion Detection System for Discovering Malicious Nodes in Mobile Ad Hoc Networks," in Proc. IEEE International Conference on Communications (ICC '07), pp. 1154-1159, June 2007.
[16] J. S. Baras, S. Radosavac, G. Theodorakopoulos, D. Sterne, P. Budulas, & R. Gopaul, "Intrusion Detection System Resiliency to Byzantine Attacks: The Case Study of Wormholes in OLSR," in Proc. IEEE Military Communications Conference (MILCOM 2007), pp. 1-7, Orlando, FL, USA, Oct. 2007.
[17] S. Zheng, T. Jiang, J. S. Baras, A. Sonalker, D. Sterne, R. Gopaul, & R. Hardy, "Intrusion Detection of In-band Wormholes in MANETs Using Advanced Statistical Methods," in Proc. IEEE Military Communications Conference (MILCOM 2008), pp. 1-7, San Diego, CA, Nov. 2008.
[18] M. T. Refaei, Y. Rong, L. A. DaSilva, & H.-A. Choi, "Detecting Node Misbehavior in Ad Hoc Networks," in Proc. IEEE International Conference on Communications (ICC '07), pp. 3425-3430, Glasgow, June 2007.
[19] J. P. Vilela & J. Barros, "A Feedback Reputation Mechanism to Secure the Optimized Link State Routing Protocol," in Proc. 3rd IEEE/CreateNet International Conference on Security and Privacy in Communication Networks, Nice, France, September 2007.
[20] J. P. Vilela & J. Barros, "A Cooperative Security Scheme for Optimized Link State Routing in Mobile Ad-hoc Networks," in Proc. 15th IST Mobile and Wireless Communications Summit, Mykonos, Greece, June 2006.
[21] A. Adnane, R. T. de Sousa Jr., C. Bidan, & L. Mé, "Autonomic Trust Reasoning Enables Misbehavior Detection in OLSR," in Proc. ACM Symposium on Applied Computing, pp. 2006-2013, 2008.
[22] B. Kannhavong, H. Nakayama, N. Kato, Y. Nemoto, & A. Jamalipour, "A Collusion Attack Against OLSR-based Mobile Ad Hoc Networks," in Proc. IEEE GLOBECOM, 2006.
[23] The VINT Project, "The Network Simulator - ns-2," http://www.isi.edu/nsnam/ns/index.html
[24] F. J. Ros, "UM-OLSR Documentation," University of Murcia, March 2005, http://masimum.dif.um.es/um-olsr/html